Department of Homeland Security

Information Technology Management Letter for the United States Coast Guard Component of the FY 2013 Department of Homeland Security's Financial Statement Audit

OIG-14-88                                                  May 2014


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

May 2, 2014

MEMORANDUM FOR:     Rear Admiral Robert Day
                    Chief Information Officer
                    United States Coast Guard

                    Rear Admiral Stephen P. Metruck
                    Chief Financial Officer
                    United States Coast Guard

FROM:               Richard Harsche
                    Acting Assistant Inspector General
                    Office of Information Technology Audits

SUBJECT:            Information Technology Management Letter for the United States Coast Guard Component of the FY 2013 Department of Homeland Security's Financial Statement Audit

Attached for your information is our final report, Information Technology Management Letter for the United States Coast Guard Component of the FY 2013 Department of Homeland Security's Financial Statement Audit. This report contains comments and recommendations related to information technology internal control deficiencies that were not required to be reported in the Independent Auditors' Report.

We contracted with the independent public accounting firm KPMG LLP (KPMG) to conduct the audit of the Department of Homeland Security's fiscal year 2013 consolidated financial statements. The contract required that KPMG perform its audit according to generally accepted government auditing standards and guidance from the Office of Management and Budget and the Government Accountability Office. KPMG is responsible for the attached management letter dated March 11, 2014, and the conclusion expressed in it.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 11, 2014

Office of Inspector General,
U.S. Department of Homeland Security, and

Chief Information Officer and Chief Financial Officer,
U.S. Department of Homeland Security, United States Coast Guard

Ladies and Gentlemen:

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the "fiscal year (FY) 2013 financial statements"), and have issued our report thereon dated December 11, 2013. In planning and performing our audit of the financial statements of DHS, in accordance with auditing standards generally accepted in the United States of America and Government Auditing Standards, we considered internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements.
In conjunction with our audit of the financial statements, we also performed an audit of internal control over financial reporting in accordance with attestation standards issued by the American Institute of Certified Public Accountants.

In accordance with Government Auditing Standards, our Independent Auditors' Report, dated December 11, 2013, included internal control deficiencies identified during our audit that, in aggregate, represented a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level. This letter is the separate limited-distribution report mentioned in that report, covering matters related to the U.S. Coast Guard (USCG or Coast Guard).

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management and communicated through Notices of Findings and Recommendations (NFRs), are intended to improve internal control or result in other operating efficiencies and are summarized below.

With respect to the Coast Guard's financial systems' IT controls, we noted certain matters in the areas of security management, access controls, and configuration management. These matters are described in the General IT Control Findings and Recommendations section of this letter.

The Table of Contents identifies each section of the letter. We have provided a description of key Coast Guard financial systems and IT infrastructure within the scope of the FY 2013 DHS financial statement audit in Appendix A, and a listing of each IT NFR communicated to management during our audit in Appendix B.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

During our audit we noted certain matters involving financial reporting internal controls (comments not related to IT) and other operational matters, including certain deficiencies in internal control that we consider to be significant deficiencies and material weaknesses, and communicated them in writing to management and those charged with governance in our Independent Auditors' Report and in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and on the effectiveness of internal control over financial reporting, and therefore may not bring to light all deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge of DHS' organization gained during our work to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

The purpose of this letter is solely to describe comments and recommendations intended to improve internal control or result in other operating efficiencies. Accordingly, this letter is not suitable for any other purpose.

Very truly yours,


Department of Homeland Security
Information Technology Management Letter
U.S. Coast Guard
September 30, 2013


TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings
General IT Control Findings and Recommendations
   Findings
      Security Management
      Access Controls
      Configuration Management
   Recommendations
      Security Management
      Access Controls
      Configuration Management
IT Application Controls

APPENDICES

Appendix A   Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope of the FY 2013 DHS Financial Statement Audit
Appendix B   FY 2013 IT Notices of Findings and Recommendations at Coast Guard


OBJECTIVE, SCOPE, AND APPROACH

Objective

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the "fiscal year (FY) 2013 financial statements"). In connection with our audit of the FY 2013 financial statements, we performed an evaluation of selected general information technology (IT) controls (GITCs) and IT application controls at the U.S. Coast Guard (USCG or Coast Guard) to assist in planning and performing our audit engagement.

Scope

The scope of our GITC and IT application control test work is described in Appendix A, which provides a description of the key Coast Guard financial systems and IT infrastructure within the scope of the Coast Guard component of the FY 2013 DHS consolidated financial statement audit.

Approach

General Information Technology Controls

The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. Government Accountability Office, formed the basis of our GITC evaluation procedures.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns, to assist them in planning their audit work, and to integrate the work of IT auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors on the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a Federal agency.
FISCAM defines the following five control categories as essential to the effective operation of GITCs and the IT environment:

• Security Management – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

   • In conjunction with our test work of security management GITCs, limited after-hours physical security testing and social engineering at select Coast Guard facilities was conducted to identify potential control deficiencies in non-technical aspects of IT security.

• Access Control – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

• Configuration Management – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.

   • We performed technical information security testing for key Coast Guard network and system devices. The technical security testing was performed from within select DHS facilities and focused on production devices that directly support DHS' and Coast Guard's financial processing and key general support systems.

• Segregation of Duties – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

• Contingency Planning – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

IT Application Controls

We performed testing over selected key IT application controls on financial systems and applications to assess the financial systems' internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.


SUMMARY OF FINDINGS

During FY 2012, Coast Guard took corrective action to address certain prior year IT control deficiencies. For example, Coast Guard made improvements in designing and implementing certain logical access, physical access, and configuration management controls, including controls over the scripting process, for Coast Guard information systems.
However, during FY 2013, we continued to identify GITC deficiencies related to controls over security management (including deficiencies in physical security and security awareness), access control, and configuration management for Coast Guard core financial and feeder systems and associated General Support System environments.

Collectively, the IT control deficiencies limited Coast Guard's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted Coast Guard's internal controls over financial reporting and its operations. We consider these deficiencies, in aggregate, to contribute to the IT material weakness at the Department level under standards established by the American Institute of Certified Public Accountants. In addition, based upon the results of our test work, we noted that Coast Guard contributes to the Department's non-compliance with the relevant federal financial management systems requirements of the Federal Financial Management Improvement Act of 1996.

Of the eight IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing, seven were repeat findings, either partially or in whole, from the prior year, and one was a new finding. The eight IT NFRs issued represent deficiencies in three of the five FISCAM GITC categories.

The majority of findings resulted from the lack of properly documented, fully designed and implemented, adequately detailed, and consistently implemented financial system controls to comply with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology guidance. Specifically, the findings stem from:

   1. Inadequately designed and ineffective access control policies and procedures relating to the management of logical access to financial applications, databases, and support systems;
   2. Insufficient logging of system events and monitoring of audit logs; and
   3. Patch, configuration, and vulnerability management control deficiencies within systems.

These deficiencies may increase the risk that weaknesses in system controls could be exploited, compromising the confidentiality, integrity, and availability of Coast Guard financial data used by management and reported in Coast Guard's and DHS' financial statements.

While the recommendations made by us should be considered by Coast Guard, it is the ultimate responsibility of Coast Guard management to determine the most appropriate method(s) for addressing the deficiencies identified.


GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings

During our audit of the FY 2013 DHS financial statements, we identified the following Coast Guard GITC deficiencies that, in the aggregate, contribute to the IT material weakness at the Department level.

Security Management

After-Hours Physical Security Testing

On June 20, July 15, July 18, and August 16, 2013, we performed after-hours physical security testing to identify risks related to non-technical aspects of IT security.
These non-technical IT security aspects included physical access to printed or electronic media, equipment, or credentials residing within a Coast Guard employee's or contractor's work area or shared workspaces, which could be used by others to gain unauthorized access to systems housing financial or other sensitive information. The testing was performed at various USCG locations in Baltimore, Maryland; Martinsburg, West Virginia (WV); Elizabeth City, North Carolina (NC); and Chesapeake, Virginia (VA) that process, maintain, and/or have access to financial data.

We observed 52 instances where passwords, keys, unsecured or unlocked credentials and external media, and printed materials marked "For Official Use Only" or containing sensitive Personally Identifiable Information were accessible to individuals without a "need to know."

Social Engineering

Social engineering is the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing or enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering or gaining computer system access.

On July 11, 2013, we performed social engineering testing from a DHS facility to identify risks related to Coast Guard personnel's awareness of their responsibilities for protecting sensitive IT information, including personal system access credentials, from disclosure to unauthorized personnel.
We noted two instances where individuals divulged their Naval and Electronics Supply Support System (NESSS) application account password to KPMG auditors.

Access Controls

• Controls to notify Coast Guard system owners of separated or transferred military and civilian personnel and contractors, and to generate reports of separated or transferred individuals to support periodic reviews of system access, were not implemented.

• Controls to generate the required audit records of events on the Direct Access system, and to perform and document independent reviews of those records, were not implemented.

• Account management activities on Coast Guard financial systems (including Direct Access, Joint Uniform Military Pay System [JUMPS], and NESSS), including periodic recertification of access, were not consistently documented or implemented in a timely manner in accordance with DHS and Coast Guard policy.

Configuration Management

• Password, security patch management, and configuration deficiencies were identified during the vulnerability assessment of hosts supporting USCG financial systems at the Coast Guard Finance Center (FINCEN), Operations Systems Center (OSC), and Aviation Logistics Center (ALC).

Recommendations

We recommend that the Coast Guard Office of the Chief Information Officer (OCIO) and Office of the Chief Financial Officer (OCFO), in coordination with the DHS OCIO and the DHS OCFO, make the following improvements to Coast Guard's financial management systems and associated IT security program.

Security Management

• Continue to improve training with respect to IT security policies and procedures related to properly securing sensitive DHS and Coast Guard data within physical workspaces and protecting personal system access credentials from disclosure to unauthorized personnel, and perform periodic physical workspace audits and internal social engineering testing to reinforce training principles.

Access Controls

• Complete efforts to document and implement enterprise-wide processes to ensure that system owners are notified of separated or transferred military and civilian personnel and contractors, and revoke their access, in a timely manner in accordance with Coast Guard and DHS requirements.

• Implement monitoring controls over the Direct Access audit log generation and review process to ensure that logs are properly configured and secured from unauthorized modification, that reviews are performed independently (with respect to segregation of duties principles), and that evidence of audit log reviews is retained.

• Implement monitoring controls over the account management process to ensure that all users of Coast Guard systems are periodically revalidated in accordance with Coast Guard and DHS requirements. If necessary and justified by operational and business requirements, ensure that documented requests for exceptions from DHS requirements for periodic account recertification follow established processes for DHS exceptions.
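The first and third Access Controls recommendations above describe one detective control: reconcile the HR separation and transfer feed against the accounts still enabled on each financial system, and flag any enabled account whose last recertification is older than policy allows. The script below is an added illustration of that control written for this edition of the letter; it is not code from KPMG, DHS, or the Coast Guard. The HR feed, the account export, the field names, the 3-day revocation window, and the 365-day recertification interval are constructed assumptions for the example, not values taken from DHS 4300A or Coast Guard policy.

```python
"""Separated-user and recertification reconciliation (added illustration).

Inputs are two constructed extracts: an HR feed of separations/transfers and an
export of application accounts. Outputs are the two lists an owner would have to
act on: accounts that should already be revoked, and accounts past recertification.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVOKE_WITHIN = timedelta(days=3)    # assumed policy: revoke within 3 days of the HR event
RECERT_EVERY = timedelta(days=365)   # assumed policy: annual user recertification


@dataclass(frozen=True)
class HrEvent:
    user_id: str
    event: str          # "separated" or "transferred"
    effective: date


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    enabled: bool
    last_recertified: Optional[date]
    disabled_on: Optional[date] = None


# Constructed sample data; user IDs and system names are placeholders.
HR_FEED = [
    HrEvent("u1001", "separated", date(2013, 6, 1)),
    HrEvent("u1002", "transferred", date(2013, 6, 10)),
    HrEvent("u1003", "separated", date(2013, 7, 1)),
]
ACCOUNTS = [
    Account("u1001", "DirectAccess", True, date(2013, 1, 15)),               # separated, still enabled
    Account("u1002", "JUMPS", True, date(2012, 3, 1)),                        # transferred, never re-reviewed
    Account("u1003", "NESSS", False, date(2013, 2, 1), disabled_on=date(2013, 7, 2)),  # revoked on time
    Account("u1004", "DirectAccess", True, date(2012, 5, 20)),                # active, recert overdue
    Account("u1005", "NESSS", True, None),                                    # active, never recertified
]


def orphaned_accounts(hr_feed: List[HrEvent], accounts: List[Account],
                      as_of: date) -> List[Tuple[str, str, str, int]]:
    """Accounts of separated/transferred users that are still enabled past the
    revocation deadline, or that were disabled later than the deadline.
    Each finding is (user_id, system, condition, days past deadline)."""
    events = {e.user_id: e for e in hr_feed}
    findings = []
    for a in accounts:
        e = events.get(a.user_id)
        if e is None:
            continue                       # no HR event: nothing to reconcile
        deadline = e.effective + REVOKE_WITHIN
        if a.enabled and as_of > deadline:
            findings.append((a.user_id, a.system, "still enabled", (as_of - deadline).days))
        elif a.disabled_on is not None and a.disabled_on > deadline:
            findings.append((a.user_id, a.system, "revoked late", (a.disabled_on - deadline).days))
    return findings


def recert_overdue(accounts: List[Account], as_of: date) -> List[Tuple[str, str, Optional[date]]]:
    """Enabled accounts whose last recertification is missing or older than RECERT_EVERY.
    A missing date is treated as overdue: 'never reviewed' is the worst case, not a pass."""
    out = []
    for a in accounts:
        if not a.enabled:
            continue                       # disabled accounts are out of scope for recert
        if a.last_recertified is None or as_of - a.last_recertified > RECERT_EVERY:
            out.append((a.user_id, a.system, a.last_recertified))
    return out


def sample_report(as_of: date = date(2013, 9, 30)) -> dict:
    """Run both checks over the constructed data as of the FY 2013 year end."""
    return {
        "orphaned": orphaned_accounts(HR_FEED, ACCOUNTS, as_of),
        "recert_overdue": recert_overdue(ACCOUNTS, as_of),
    }


if __name__ == "__main__":
    report = sample_report()
    for row in report["orphaned"]:
        print("REVOKE   ", *row)
    for row in report["recert_overdue"]:
        print("RECERTIFY", *row)
```

Two design points carry over to a real implementation: the reconciliation keys on the HR event, not on the account list, so a user whose account exists on a system HR does not know about is still caught as long as the user ID matches; and an account with no recertification date is reported rather than skipped, which is the behaviour the periodic-review recommendation needs.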
Configuration Management

• Implement the specific vendor-recommended corrective actions detailed in the NFRs that were issued for deficiencies identified during our vulnerability assessment.


IT APPLICATION CONTROLS

We conducted testing over certain Core Accounting System (CAS), Financial Procurement Desktop (FPD), JUMPS, Direct Access, NESSS, and Aviation Logistics Management Information System (ALMIS) application controls supporting in-scope processes during the Coast Guard component of the FY 2013 DHS financial statement audit and did not identify any control deficiencies.


Appendix A
Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope of the FY 2013 DHS Financial Statement Audit
Below is a description of significant Coast Guard financial management systems and supporting IT infrastructure included in the scope of the Coast Guard component of the DHS FY 2013 financial statement audit.

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at FINCEN in VA and interfaces with FPD, also located at FINCEN. CAS is used by financial management personnel, as it is the main system of record for financial information. CAS runs on a Hewlett-Packard (HP) UNIX operating system with an Oracle database, and the organizations responsible for CAS are FINCEN, Coast Guard OCFO, and Coast Guard OCIO.

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with CAS, is located at FINCEN in VA, and runs on an HP UNIX operating system with an Oracle database. The organizations responsible for FPD are FINCEN, Coast Guard OCFO, and Coast Guard OCIO.

Joint Uniform Military Pay System (JUMPS)

JUMPS is an IBM z/OS mainframe application and database that is used for paying USCG active and reserve payroll and is mainly used by Pay and Personnel Center (PPC) employees. JUMPS is located at the Burlington Northern Santa Fe data center in Kansas. The responsible organization for JUMPS is PPC, which falls under the purview of the Coast Guard OCIO.

Direct Access

Direct Access is the system of record for all functionality, data entry, and processing of payroll events for the Coast Guard. Every Coast Guard employee is a user of the system.
Employees may use Direct Access to correct their own personal information, such as address and beneficiaries. The main financial users use Direct Access to process payroll events and change personnel records such as pay scales. Until June 2013, Direct Access was maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility in Arizona (AZ), with an automated backup site located in a Qwest data center in VA. Since June 2013, Direct Access has been maintained by Addx Corporation and is located in VA. Direct Access is a PeopleSoft application residing on servers running the Solaris and Windows 2000 Server operating systems and is supported by an Oracle database. The responsible organization for Direct Access is the Coast Guard OCIO.

Global Pay (Direct Access II)

Global Pay provides retiree and annuitant support services. Until June 2013, Global Pay was maintained by IBM AOD in the iStructure data center facility in AZ, with an automated backup site located in a Qwest data center in VA. Since June 2013, Global Pay has been maintained by Addx Corporation and is located in VA. Global Pay is a PeopleSoft application residing on IBM xSeries servers and is supported by an Oracle database. The responsible organization for Global Pay is the Coast Guard OCIO.

Naval and Electronics Supply Support System (NESSS)

NESSS is one of four automated information systems that comprise the family of Coast Guard logistics systems.
NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit configuration, supply and inventory control, procurement, depot-level maintenance and property accountability, and a full financial general ledger. NESSS is used by both financial and logistics personnel across numerous Coast Guard locations. NESSS is located at the OSC in WV, resides on servers running the Microsoft Windows 2003 and HP UNIX operating systems, and is supported by an Oracle database. The responsible organizations for NESSS are the Office of Logistics Program Management and OSC, which act under the purview of the Coast Guard OCIO.

Aviation Logistics Management Information System (ALMIS)

ALMIS provides Coast Guard Aviation logistics management support in the areas of operations, configuration management, maintenance, supply, procurement, financial, and business intelligence. Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft & Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management Information System, a subcomponent of ALMIS, functions as the inventory management/fiscal accounting component of the ALMIS application. The Aircraft Repair & Supply Center Information Systems Division in NC hosts the ALMIS application. ALMIS is used by both financial and logistics personnel across numerous Coast Guard locations. ALMIS is located at the ALC in NC and runs on an HP UNIX operating system with a Haley database. The responsible organization for ALMIS is ALC.


Appendix B
FY 2013 IT Notices of Findings and Recommendations at Coast Guard

FY 2013 NFR #   NFR Title                                                                                  FISCAM Control Area    New Issue   Repeat Issue
CG-IT-13-01     Lack of Consistent Contractor, Civilian, and Military Account Termination Notification     Access Controls                    X
                Process for Coast Guard Systems
CG-IT-13-02     Weakness in Direct Access Audit Logs and Segregation of Duties                             Access Controls                    X
CG-IT-13-03     Weakness in Direct Access Annual User Recertification                                      Access Controls                    X
CG-IT-13-04     Security Awareness Issues Identified During Social Engineering Testing at Surface Forces   Security Management                X
                Logistics Center
CG-IT-13-05     Security Awareness Issues Identified During After-Hours Physical Security Testing at the   Security Management                X
                Surface Forces Logistics Center, OSC, ALC, and FINCEN
CG-IT-13-06     Access and Configuration Management Controls 
- Vulnerability Assessment                Configuration Management             X\n CG-IT-13-07    Weakness in JUMPS Annual User Recertification                                              Access Controls         X\n CG-IT-13-08    Weakness in NESSS Annual User Recertification                                              Access Controls                  X\n\n\n\n\n                                                                        12\n\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\n\n   Appendix A\n   Report Distribution\n   Department of Homeland Security\n\n   Secretary\n   Deputy Secretary\n   Chief of Staff\n   Deputy Chief of Staff\n   General Counsel\n   Executive Secretary\n   Director, GAO/OIG Liaison Office\n   Assistant Secretary for Office of Policy\n   Assistant Secretary for Office of Public Affairs\n   Assistant Secretary for Office of Legislative Affairs\n   Under Secretary for Management\n   Chief Financial Officer\n   Chief Information Officer\n   Chief Information Security Officer\n   Chief Privacy Officer\n\n   Office of Management and Budget\n\n   Chief, Homeland Security Branch\n   DHS OIG Budget Examiner\n\n   Congress\n\n   Congressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\nwww.oig.dhs.gov                                                            OIG-14-88\n\x0cADDITIONAL INFORMATION\n\nTo view this and any of our other reports, please visit our website at: www.oig.dhs.gov.\n\nFor further information or questions, please contact Office of Inspector General (OIG)\nOffice of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on\nTwitter at: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at 
www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto:\n\n       Department of Homeland Security \n\n       Office of Inspector General, Mail Stop 0305 \n\n       Attention: Office of Investigations Hotline \n\n       245 Murray Drive, SW \n\n       Washington, DC 20528-0305 \n\n\nYou may also call 1(800) 323-8603 or fax the complaint directly to us at\n(202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'